On (27/03/15 14:01), Orion Poplawski wrote:
I've got IPA running on an EL7.1 box for the domain NWRA.COM. I established a trust with our active directory domain (AD.NWRA.COM). The trust seems to be working mostly correctly, I can auto-login with AD kerberos tickets for example.
However, password authentication for the AD users does not appear to be working:
$ su - orion@AD.NWRA.COM
Password:
su: Authentication failure
sssd log shows:
(Fri Mar 27 13:51:42 2015) [sssd[be[nwra.com]]] [krb5_auth_prepare_ccache_name] (0x1000): No ccache file for user [orion@ad.nwra.com] found.
(Fri Mar 27 13:51:42 2015) [sssd[be[nwra.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Fri Mar 27 13:51:42 2015) [sssd[be[nwra.com]]] [get_server_status] (0x1000): Status of server 'ipa.nwra.com' is 'working'
(Fri Mar 27 13:51:42 2015) [sssd[be[nwra.com]]] [get_port_status] (0x1000): Port status of port 0 for server 'europa.nwra.com' is 'working'
(Fri Mar 27 13:51:42 2015) [sssd[be[nwra.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Fri Mar 27 13:51:42 2015) [sssd[be[nwra.com]]] [get_server_status] (0x1000): Status of server 'europa.nwra.com' is 'working'
(Fri Mar 27 13:51:42 2015) [sssd[be[nwra.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Fri Mar 27 13:51:42 2015) [sssd[be[nwra.com]]] [be_resolve_server_process] (0x0200): Found address for server ipa.nwra.com: [X.X.X.X] TTL 86400
(Fri Mar 27 13:51:42 2015) [sssd[be[nwra.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [17483]
(Fri Mar 27 13:51:42 2015) [sssd[be[nwra.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [17483]
(Fri Mar 27 13:51:42 2015) [sssd[be[nwra.com]]] [write_pipe_handler] (0x0400): All data has been sent!
(Fri Mar 27 13:51:43 2015) [sssd[be[nwra.com]]] [child_sig_handler] (0x1000): Waiting for child [17483].
(Fri Mar 27 13:51:43 2015) [sssd[be[nwra.com]]] [child_sig_handler] (0x0100): child [17483] finished successfully.
(Fri Mar 27 13:51:43 2015) [sssd[be[nwra.com]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Fri Mar 27 13:51:43 2015) [sssd[be[nwra.com]]] [parse_krb5_child_response] (0x1000): child response [0][3][40].
(Fri Mar 27 13:51:43 2015) [sssd[be[nwra.com]]] [parse_krb5_child_response] (0x1000): child response [0][-1073741822][18].
(Fri Mar 27 13:51:43 2015) [sssd[be[nwra.com]]] [parse_krb5_child_response] (0x1000): child response [0][-1073741823][32].
(Fri Mar 27 13:51:43 2015) [sssd[be[nwra.com]]] [parse_krb5_child_response] (0x1000): TGT times are [1427485903][1427485903][1427521903][1427572303].
(Fri Mar 27 13:51:43 2015) [sssd[be[nwra.com]]] [parse_krb5_child_response] (0x1000): child response [0][6][8].
(Fri Mar 27 13:51:43 2015) [sssd[be[nwra.com]]] [krb5_auth_done] (0x0020): UPN used in the request [Orion Poplawski@AD.NWRA.COM] and returned UPN [orion@AD.NWRA.COM] differ by more than just the case.
(Fri Mar 27 13:51:43 2015) [sssd[be[nwra.com]]] [ipa_auth_handler_done] (0x0040): krb5_auth_recv request failed.
(Fri Mar 27 13:51:43 2015) [sssd[be[nwra.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
I know that you fixed your problem, but pam error code 4 (System error) should not happen in sssd. It means some serious problem.
It can be related to the previous debug message "krb5_auth_recv request failed."
Could you provide domain log file and krb5_child.log with enabled verbose logging? (put debug_level = 0xfff0 into domain section.)
LS
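Added example, not part of the thread above and not sssd's own code: a small triage script that pulls the two facts the reply hinges on out of an sssd domain log, the krb5_auth_done UPN comparison and the PAM status in "Backend returned: (…)". The sample log is constructed from the lines quoted in the thread (it is not the poster's complete log), the log-line regex is an assumption modelled on the quoted format, and the PAM status names are the Linux-PAM constants (4 is PAM_SYSTEM_ERR, matching the "System error" the reply refers to). The UPN classification reproduces only what the quoted message describes (a case-only difference is tolerated, anything else is a mismatch), not sssd's internal implementation.

```python
import re

# Constructed sample modelled on the sssd domain log quoted in the thread.
SAMPLE_LOG = """\
(Fri Mar 27 13:51:42 2015) [sssd[be[nwra.com]]] [krb5_auth_prepare_ccache_name] (0x1000): No ccache file for user [orion@ad.nwra.com] found.
(Fri Mar 27 13:51:43 2015) [sssd[be[nwra.com]]] [parse_krb5_child_response] (0x1000): child response [0][6][8].
(Fri Mar 27 13:51:43 2015) [sssd[be[nwra.com]]] [krb5_auth_done] (0x0020): UPN used in the request [Orion Poplawski@AD.NWRA.COM] and returned UPN [orion@AD.NWRA.COM] differ by more than just the case.
(Fri Mar 27 13:51:43 2015) [sssd[be[nwra.com]]] [ipa_auth_handler_done] (0x0040): krb5_auth_recv request failed.
(Fri Mar 27 13:51:43 2015) [sssd[be[nwra.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
"""

# Linux-PAM return codes that matter for this triage (PAM_SYSTEM_ERR is 4).
PAM_CODES = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR"}

# Assumed line layout: (timestamp) [process] [function] (debug level): message.
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>.+?\]\])\] \[(?P<func>[^\]]+)\] "
    r"\((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
UPN_RE = re.compile(r"UPN used in the request \[(?P<req>[^\]]+)\] and returned UPN \[(?P<ret>[^\]]+)\]")
BACKEND_RE = re.compile(r"Backend returned: \((?P<dp>-?\d+), (?P<pam>-?\d+), (?P<err>[^)]*)\)")


def parse_log(text):
    """Split the log into dicts with ts/proc/func/lvl/msg; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def upn_comparison(requested, returned):
    """Classify two UPNs the way the krb5_auth_done message describes it:
    identical, differing only in case (tolerated), or a real mismatch."""
    if requested == returned:
        return "identical"
    if requested.lower() == returned.lower():
        return "case_only"
    return "mismatch"


def triage(text):
    """Return findings for UPN comparisons and the PAM status handed back by the backend."""
    findings = []
    for e in parse_log(text):
        m = UPN_RE.search(e["msg"])
        if m:
            findings.append({
                "func": e["func"],
                "kind": "upn_" + upn_comparison(m["req"], m["ret"]),
                "requested": m["req"],
                "returned": m["ret"],
            })
        m = BACKEND_RE.search(e["msg"])
        if m:
            code = int(m["pam"])
            findings.append({
                "func": e["func"],
                "kind": "pam_status",
                "code": code,
                "name": PAM_CODES.get(code, "UNKNOWN"),
                # PAM_SYSTEM_ERR is the case where the reply asks for 0xfff0 logs.
                "needs_verbose_log": code == 4,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

Run it against a real domain log (for example /var/log/sssd/sssd_nwra.com.log) by feeding the file contents to triage(); a "pam_status" finding with needs_verbose_log set is the signal to raise debug_level and collect krb5_child.log as the reply asks.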